SOLVED

Pricing Calculator for Microsoft Sentinel

Occasional Contributor

Hi everyone, I am using the Pricing Calculator for Microsoft Sentinel.

I can see the pricing split into two parts - Azure Monitor and Microsoft Sentinel.

In my understanding, Microsoft Sentinel will process the logs stored in the Log Analytics Workspace. The cost is based on the log size in the Log Analytics Workspace. It may not relate to the Azure Monitor part. The Pricing Calculator will charge the Azure Monitor part because Azure Monitor and Microsoft Sentinel share the same Log Analytics Workspace?

Basically, I am not using Azure Monitor. Is there any method to reduce the cost of the Azure Monitor part?


11 Replies
best response confirmed by CyrilChu (Occasional Contributor)
Solution

Hello @CyrilChu,

The pricing is split into two parts - Azure Monitor and Microsoft Sentinel because:

Azure Monitor is considered to be the "Ingestion" part (GB of logs that are ingested into Log Analytics Workspace) and Microsoft Sentinel is the SIEM system itself that operates logs, queries, workbooks, connectors etc.

Hello @mikhailf,

Can I simply understand it as Azure Monitor = Log Analytics Workspace (log data storage)?

@CyrilChu

I understand it like this: Azure Monitor = Log Analytics Workspace (log data ingestion).
Not storage. For Storage, Microsoft has another part in its calculator :)

@mikhailf

Thanks a lot, I have one more question.
If I use Microsoft Lighthouse to share the resource group (Microsoft Sentinel and Log Analytics Workspace) with another tenant, will it charge two Sentinel costs?

As far as I know, if you have 2 subscriptions and 2 Sentinels and use Lighthouse to connect one Sentinel to another, you will still have to pay for both of them.
Because these are two separate Sentinels.
For example, you are a SOC company and have a customer who has Sentinel. And you want to connect your customer's Sentinel to yours to see and manage data in your own system. The customer will have to pay for his Sentinel.

@mikhailf,
I am not sure it has 2 Sentinels. The current situation is that Customer Company uses the link below to share his resource group (including the Log Analytics Workspace, with Microsoft Sentinel already added to the workspace) with SOC Company.
https://github.com/Azure/Azure-Lighthouse-samples
As far as I know, we need to add Microsoft Sentinel to a workspace after you create a Log Analytics Workspace. SOC Company itself did not add Microsoft Sentinel to any workspaces before. SOC Company can connect to the customer's Sentinel via Lighthouse directly. We don't need to add Microsoft Sentinel to the customer's workspace.
In this situation, does it still count as two separate Sentinels?

If the SOC company doesn't have Sentinel installed, you won't have to pay for it.
You can use both scenarios.
1. You have LAW + Sentinel and SOC connects to your Sentinel via Lighthouse (so you pay only for 1 Sentinel on your side)
2. You have LAW + Sentinel and SOC has its LAW + Sentinel that is fully integrated with your Sentinel. In that way, the SOC can see logs from your Sentinel in their own one (they can create rules, workbooks, etc.)

@mikhailf,
May I know which component of Azure Sentinel is? A resource under the resource group?
I cannot find Sentinel in the resource group or application. Since the Lighthouse connection uses a resource group base, how can I make sure that I am using the customer's Sentinel instead of the SOC's Sentinel?

The major ways Sentinel pricing can be affected:

1. Size of logs ingested per day
2. Type of logs
3. Location of Log Analytics deployment
4. Number of E5, A5, F5 and G5 licenses
5. Free Data Sources
6. Log Data Retention
7. Type of Retention


Size of logs ingested per day
Simply, the more you ingest into Sentinel per day, the more you will have to pay. My advice would be, instead of ingesting everything in one go, to try to understand the risks for the company and create a phased plan for data ingestion.

Type of Logs
We can ingest two types of logs into Sentinel – Basic and Analytical. The analytical logs are what we generally ingest and can use for alerting. The basic logs cannot be used for alerts, have limited KQL capability and have search query concurrency limits. The cost of basic logs is significantly less than that of analytical logs, with a reduction of up to 75%.

Location of Log Analytics deployment
There is some difference in cost depending on the location where the data is stored for the Log Analytics workspace. For example, the per-GB pay-as-you-go price for Switzerland is around £5 vs. UK South, which is £4.5.

Number of E5, A5, F5 and G5 licenses
Microsoft 365 E5, A5, F5 and G5 Security customers can receive a data grant of up to 5MB per user/day to ingest Microsoft 365 data. This includes AD sign-in and audit logs, 365 advanced hunting data and a couple more.

Free Data Sources
Some Microsoft 365 data sources are free for everyone, like Azure activity, Office 365 audit, alerts from Defender 365 and cloud, etc.

Log Data Retention
We can choose, per data source, how long we want it to be stored for searching. The default is set to 730 days and can be changed for all sources using the Log Analytics workspace OR using PowerShell for individual sources.

Type of Retention
The priciest is the active storage, where you can search effectively. Additionally, we can either use the archive function of Sentinel OR export data to others like Azure Data Lake etc., which is cheaper than active storage, but we must go through some hoops to search the data.

@CyrilChu Sentinel is a resource created on top of a Log Analytics Workspace. It is deployed to the same resource group where that particular Log Analytics resides.
Azure Lighthouse does not incur any charges; it is just used to view multiple resources in a single pane of glass.